embedding covert channels into tcp ip

7/28/2019 Embedding Covert Channels Into TCP IP

1/40

CMSC 691I Clandestine Channels

Embedding Covert

Channels into TCP/IPS.J. Murdoch, S. Lewis

University of Cambridge, United Kingdom7th Information Hiding Workshop, J une 2005

Sweety Chauhan

October 26, 2005


2/40

CMSC 691I2

Clandestine Channels

Overview

New and Significant

Overview of Covert Channels

TCP/IP based Steganography Detection of TCP/IP Steganography

Conclusion


3/40

CMSC 691I3


New and Significant

Proposed a scheme Lathra for encoding

data in TCP/IP header not detected by

warden

A message can be hidden so that an

attacker cannot demonstrate its existence

without knowing a secret key


4/40

CMSC 691I4


Covert Channels

Communication in a non-obvious manner

Potential methods - to get information out

of the security perimeter Two Types:

Storage

Timing


5/40

CMSC 691I5


Types of Covert Channels

Storage Timing

Information conveyed

by writing or abstainingfrom writing

Information conveyed

by the timing of events

Clock not needed Receiver needs clock


6/40

CMSC 691I6


Where is this relevant?

The use of covert channels is relevant in

organizations that:

restrict the use of encryption in theirsystems

have privileged or private information

wish to restrict communication

monitor communications


7/40

CMSC 691I7


Network Covert Channels

Information hiding

placed in network headers AND/OR

conveyed through action/reaction Goal - channel undetectable or unobservable

Network watchers (sniffer, IDS, ..) will not be

aware that data is being transmitted


8/40

CMSC 691I8


Taxonomy (I)

Network covert channels can be

Storage-based

Timing-basedFrequency-based

Protocol-based

any combination of the above


9/40

CMSC 691I9


Taxonomy (II)

Each of the above categories constitute a

dimension of data

Information hiding in packet payload is

outside the realm of network covert channels

These cases fit into the broader field of

steganography


10/40

CMSC 691I10


Packet Header Hiding

IP Header TCP Header DATA

20-64 bytes 20-64 bytes 0-65,488 bytes

IP Source Address

IP Destination Address

TCP Source Port

TCP Destination Port

This is Information

Assurance Class

TCP/IP Header can serve as a

carrier for a steganographic

covert channel


11/40

CMSC 691I11


IP Header

0-44

bytes

Fields that may be used to embed steganographic data


12/40

CMSC 691I12


TCP Header

0-44

bytesTimestamp


13/40

CMSC 691I13


Storage Based

Information is leaked by hiding data in

packet header fields

IP identification

Offset

Options

TCP Checksum

TCP Sequence Numbers


14/40

CMSC 691I14


Timing Channels (I)

Information is leaked by triggering or

delaying events at specific time intervals


15/40

CMSC 691I15


Timing Channels (II)


16/40

CMSC 691I16


Frequency Based (I)

Information is encoded over many

channels of cover traffic The order or combination of cover channel

access encodes information


17/40

CMSC 691I17


Frequency Based (II)


18/40

CMSC 691I18


Protocol Based

Exploits ambiguities or non-uniform

features in common protocolspecifications


19/40

CMSC 691I19


Traditional Detection Mechanisms

Statistical methods

Storage-based Data analysis

Time-based Time analysis

Frequency-based Flow analysis


20/40

CMSC 691I20


Threat Model

Passive Warden Threat Model

Active Warden Threat Model


21/40

CMSC 691I21


IP Covert Channel

IP allows fragmentation and reassembly of

long datagrams, requiring certain extra

headers

For IP Networks: Data hidden in the IP header

Data hidden in ICMP Echo Request and Response Packets

Data tunneled through an SSH connection

Port 80 Tunneling, (or DNS port 53 tunneling)

In image files


22/40

CMSC 691I22


IP ID and TCP ISN Implementation

Two fields which are commonly used to

embed steganographic data are the IP IDand TCP ISN

Due to their construction, these fields

contain some structure Partially unpredictable


23/40

CMSC 691I23


Detection of TCP/IP Steganography

Each operating system exhibits well defined

characteristics in generated TCP/IP fields can be used to identify any anomalies that may

indicate the use of steganography

suite of tests applied to network traces to identify whether the

results are consistent with known operating systems


24/40

CMSC 691I24


IP ID Characteristics

1. Sequential Global IP ID

2. Sequential Per-host IP ID

3. IP-ID MSB Toggle

4. IP-ID Permutation


25/40

CMSC 691I25


TCP ISN Characteristics

5. Rekey Timer

6. Rekey Counter

7. ISN MSB Toggle8. ISN Permutation

9. Zero bit 15

10. Full TCP Collisions11. Partial TCP Collisions


26/40

CMSC 691I26


Explicit Steganography Detection

12. Nushu Cryptography encrypts data before including it in the ISN field

results in a distribution which is different from normally

generated by Linux and so will be detected by the otherTCP tests


27/40

CMSC 691I27


13. TCP Timestamp If a low bandwidth TCP connection is being used to

leak information

a randomness test can be applied to the leastsignificant bits of the timestamps in the TCP

packets

If too much randomness is detected in the LSBs

a steganographic covert channel is in use


28/40

CMSC 691I28


14. Other Anomalies unusual flags (e.g. DF when not expected, ToS set)

excessive fragmentation

use of IP options

non-zero padding

unexpected TCP options (e.g. timestamps from

operating systems which do not generate them)

excessive re-ordering


29/40

CMSC 691I29


Results


30/40

CMSC 691I30


Detection-Resistant TCP

Steganography Schemes

Lathra - Robust scheme, using the TCP

ISNs generated by OpenBSD and Linux as

a steganographic carrier

Simply encoding data within the least

significant 24 bits of the ISN could be

detected by the warden


31/40

CMSC 691I31


Conclusion

TCP/IP header fields can be used as a

carrier for a steganographic covert channel

Two schemes for encoding data with ISNs

generated by OpenBSD and Linux indistinguishable from those generated by a

genuine TCP stack


32/40

CMSC 691I32


Future Work

Flexible covert channel scheme which can

be used in many channels

Create a protocol for jumping between

multiple covert channels

New schemes to detect different encoding

mechanisms in TCP/IP Header fields


33/40


34/40

CMSC 691I34


Thanks a lot

For Your

Presence


35/40

CMSC 691I35


Any Questions


36/40

CMSC 691I36


Homework

Presentation Slides and Research Papers are available at :

www.umbc.edu/~chauhan2/CMSC691I/
http://www.umbc.edu/~chauhan2/CMSC691I/http://www.umbc.edu/~chauhan2/CMSC691I/


37/40

CMSC 691I37


Covert Channel Tools

SSH (SCP, FTP Tunneling, Telnet Tunneling, X-

Windows Tunneling, ...) - can be set to operate on

any port (


38/40

CMSC 691I38


Linux 2.0 ISN Generator


39/40

CMSC 691I39


Linux ISN and ID generator


40/40

CMSC 691I40


Open BSD ISN generator

embedding covert channels into tcp ip

Documents